cPHulk + nftables not working anymore on 128.0.13
I rebooted my server the other day and noticed that cPHulk didn't add IP addresses to nftables anymore. After some investigation, I found https://support.cpanel.net/hc/en-us/articles/31733253610519-cPHulk-chain-is-not-added-to-INPUT-filter-in-nftables-resulting-in-the-cPHulk-Firewall-chain-not-blocking-any-IPs - but this is not a workaround/does not work.
Previously, in combination with firewalld/nftables, in the table inet filter, cphulk-TempBan was added when cPHulk was started:
table inet filter {
	set cphulk-TempBan {
		type ipv4_addr
		timeout 23h59m58s
		elements = { x.x.x.x expires 23h28m41s801ms }
	}
	chain cphulk {
		ip saddr @cphulk-TempBan drop
	}
}
But not anymore, hence the "workaround" from the above link does not work, as there is no cphulk chain!
I modified /etc/firewalld/firewalld.conf and set NftablesTableOwner=no AND added cphulk-TempBan and chain cphulk to nftables.
With that AND the jump rules from above link, offensive IPs are added again and show up in nftables, e.g.,
table inet filter {
	set cphulk-TempBan {
		type ipv4_addr
		timeout 23h59m59s
		elements = { x.x.x.x expires 2h18m35s800ms, x.x.x.x expires 18h10m21s742ms,
		             x.x.x.x expires 9h10m25s404ms, x.x.x.x expires 9h11m6s408ms,
		             etc.
There were many changes before the reboot: upgrade to cPanel 128.0.13, upgrade to Rocky Linux 9.6 including a kernel upgrade to 5.14.0-570.19.1.el9_6.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Jun 7 09:41:17 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux.
nftables is version v1.0.9, firewalld is version 1.3.4.
Question is:
How can we ensure the cphulk tables and chains are added to nftables the next time the server is rebooted?
Adding something in /etc/rc.d/rc.local seems to be a very dirty workaround.
Apparently, there is a case CPANEL-47070 open.
Gemini tells me this:
- Historical Issues: There have been instances where cPHulk's nftables integration resulted in incorrect rule placement (not added to INPUT filter) or duplicate entries, leading to ineffective blocking.
- Solutions: These issues have been addressed, and cPanel's development team is continuously working to improve the integration. Workarounds, such as manually adding the cPHulk chain to the INPUT filter, were provided while the bug was being resolved.
-
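A small audit script for the situation described in the post above, added here as an example and not taken from the thread or from cPanel. It uses the layout the poster shows (table inet filter, set cphulk-TempBan, chain cphulk with the `ip saddr @cphulk-TempBan drop` rule) and additionally checks for a jump from the input chain into cphulk, which the poster refers to as the "jump rules" from the support article without listing them. The assumptions are that the base chain is called `input` and that the jump renders as `jump cphulk` in `nft list ruleset`; the sample rulesets are constructed, with a documentation address in place of the real ones.

```shell
#!/bin/sh
# Added example (not from the thread or from cPanel): audit the nftables objects that
# cPHulk relies on and print an nft script that recreates them when they are missing.
# Assumed layout: table inet filter, set cphulk-TempBan, chain cphulk, base chain "input"
# jumping to cphulk ("jump cphulk" is an assumption about how that rule is listed).

# Constructed sample modelled on the listing in the post (address is a placeholder).
SAMPLE_OK='table inet filter {
	set cphulk-TempBan {
		type ipv4_addr
		timeout 23h59m59s
		elements = { 192.0.2.10 expires 2h18m35s800ms }
	}
	chain input {
		type filter hook input priority filter; policy accept;
		jump cphulk
	}
	chain cphulk {
		ip saddr @cphulk-TempBan drop
	}
}'

# Constructed sample of the post-reboot state the poster describes: no cPHulk objects.
SAMPLE_BROKEN='table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}
}'

# cphulk_audit RULESET_TEXT: prints "ok" or "missing: <items>"; returns 0 only when the
# set, the drop rule in chain cphulk and the jump into cphulk are all present.
cphulk_audit() {
    ruleset="$1"
    missing=""
    printf '%s\n' "$ruleset" | grep -q 'set cphulk-TempBan {' \
        || missing="$missing set:cphulk-TempBan"
    printf '%s\n' "$ruleset" | grep -q 'ip saddr @cphulk-TempBan drop' \
        || missing="$missing chain:cphulk"
    printf '%s\n' "$ruleset" | grep -q 'jump cphulk' \
        || missing="$missing jump:cphulk"
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    echo ok
    return 0
}

# cphulk_repair_script: prints nft script lines (suitable for `nft -f -`) that recreate
# the objects in the assumed layout. Review before applying; as the post notes, firewalld
# can remove them again unless NftablesTableOwner=no is set in firewalld.conf.
cphulk_repair_script() {
    cat <<'EOF'
add table inet filter
add set inet filter cphulk-TempBan { type ipv4_addr; flags timeout; timeout 23h59m59s; }
add chain inet filter cphulk
add rule inet filter cphulk ip saddr @cphulk-TempBan drop
add chain inet filter input { type filter hook input priority 0; policy accept; }
insert rule inet filter input jump cphulk
EOF
}

# Stand-alone run: audit the live ruleset as root when nft is available, else the samples.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    cphulk_audit "$(nft list ruleset)" || cphulk_repair_script
else
    cphulk_audit "$SAMPLE_OK"
    cphulk_audit "$SAMPLE_BROKEN" || cphulk_repair_script
fi
```

Run as root after a reboot, the audit reports which of the three pieces is absent, which is more useful than a bare "blocking does not work", and the printed script can be reviewed and applied by hand rather than placed blindly in rc.local.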
Hey there! The best solution to this one is going to be to make a ticket, as the only workaround I have available for this issue is the one that you've said isn't working. That indicates that direct troubleshooting on the affected machine may be required to resolve this, or perhaps you've run into a slightly different issue entirely.
0 -
Thanks cPRex - but that's not an option, as I purchase through a reseller.
0 -
Sure it is - you'd reach out to them and then they'd escalate to us as necessary.
0 -
Unfortunately, I do not share your optimism... but...
is there an ETA when/if CPANEL-47070 will be closed?
In that case, the issue should be fixed anyway?
0 -
I never provide ETAs for cases as there are so many things that can happen that can turn me into a liar :D
I have messaged the devs to see if that can be given some priority.
0